IBM Support

Security Bulletin: Apache Log4j vulnerability affects IBM Cloud Pak for Automation (CVE-2021-44228)

Security Bulletin


Summary

A remote code execution vulnerability has been reported for log4j-core-2.x libraries, which are used in various components of IBM Cloud Pak for Business Automation.

Vulnerability Details

CVEID:   CVE-2021-44228
DESCRIPTION:   Apache Log4j could allow a remote attacker to execute arbitrary code on the system, caused by the failure to protect against attacker controlled LDAP and other JNDI related endpoints by JNDI features. By sending a specially crafted code string, an attacker could exploit this vulnerability to load arbitrary Java code on the server and take complete control of the system. Note: The vulnerability is also called Log4Shell or LogJam.
CVSS Base score: 10
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/214921 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)

Affected Products and Versions

Affected Product(s)Version(s)
ICP4A

V19.x
V20.x
V21.0.1
V21.0.2 before 21.0.2-IF006
V21.0.3 before 21.0.3-IF001 (in 21.0.3, only the ADP component is affected)

Remediation/Fixes

IBM strongly recommends addressing the vulnerability now by upgrading.

Please follow this IBM PSIRT blog post to keep up to date with additional information around this vulnerability and how it relates to your IBM products.

For versions before 21.0.3, the recommended solution is to upgrade to

  • IBM Cloud Pak for Business Automation 21.0.2 and apply IF006 or later
  • IBM Cloud Pak for Business Automation 20.0.3 and apply IF012 or later

as soon as possible. 

For version 21.0.3, the recommended solution is to apply 21.0.3-IF001 or later as soon as possible, see Readme for Cloud Pak for Business Automation 21.0.3-IF001 for ADP for details.

IBM Cloud Pak for Automation can make use of components in IBM Automation Foundation (IAF). Fixes for CVE-2021-44228 will be included in IAF 1.3.1. New installations of Cloud Pak for Automation 21.0.2-IF006 and later automatically consume the IBM Automation Foundation 1.3 channel. Existing installations upgrading to 21.0.2-IF006 or later need to manually update the IAF channel as in explained in Readme for Cloud Pak for Business Automation 21.0.2 IF006.

IBM Cloud Pak for Automation allows building custom apps on top of the platform. These custom apps can bring their own copy of the vulnerable Log4j library. You must carefully review all your custom apps to identify and upgrade all vulnerable use of the log4j library.

 

Workarounds and Mitigations

None

Get Notified about Future Security Bulletins

Subscribe to My Notifications to be notified of important product support alerts like this.

References

Complete CVSS v3 Guide
On-line Calculator v3

Off

Related Information

IBM Secure Engineering Web Portal
IBM Product Security Incident Response Blog

Acknowledgement

Change History

17 Dec 2021: Initial Publication
18 Dec 2021: added 21.0.3 (ADP component only) as affected
15 Jan 2022: added 20.0.3-IF012 fix

*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.

Disclaimer

Review the IBM security bulletin disclaimer and definitions regarding your responsibilities for assessing potential impact of security vulnerabilities to your environment.

Document Location

Worldwide

[{"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SS7JTW","label":"IBM Cloud Pak for Automation"},"Component":"","Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"19.0.x, 20.0.x, 21.0.1, 21.0.2, 21.0.3","Edition":"","Line of Business":{"code":"LOB45","label":"Automation"}}]

Document Information

Modified date:
15 January 2022

Initial Publish date:
17 December 2021

UID

ibm16527848

Page Feedback